feat(bridge02): Initialize and add instructions to the README

This commit is contained in:
Tom Hubrecht 2024-07-10 17:31:04 +02:00
parent 0e8f752d79
commit 680682f520
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
11 changed files with 316 additions and 40 deletions


@ -8,3 +8,97 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.
You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7


@ -0,0 +1,20 @@
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"network"
];
extraConfig = {
services.netbird.enable = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;
}


@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}
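Review bot: The header at the top of this file says it was generated by nixos-generate-config and should not be modified, yet `kernelPackages = pkgs.linuxPackages_latest;`, `supportedFilesystems.bcachefs = true;` and the `compression=zstd` mount option look hand-added, and a future regeneration would silently drop them. Because `/` is declared as bcachefs, losing `supportedFilesystems.bcachefs` would likely leave the initrd without the module needed to mount the root filesystem. Consider moving those three settings into `extraConfig` of `_configuration.nix`, or replacing the "Do not modify" header with a comment stating that the file has been edited by hand and which lines differ from the generated output.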


@ -0,0 +1,79 @@
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}
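Review bot: `firewall.allowedUDPPorts = [ 67 ];` opens the DHCP server port on every interface, while the server itself is enabled only on `vlan-admin` (`networkConfig.DHCPServer = "yes"`); on `eno1` and on `vlan-uplink-oob`, where this host is itself a DHCP client, the global rule only widens exposure. Scoping the rule to the interface keeps the firewall aligned with where the service actually listens: `firewall.interfaces."vlan-admin".allowedUDPPorts = [ 67 ];` in place of the global line. The commented-out `# address = [ "192.168.222.1/24" ];` under `10-eno1` appears to be a leftover now that the same address is assigned on `vlan-admin`, and could be dropped to avoid suggesting the untagged interface is meant to carry it.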


@ -0,0 +1,5 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
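Review bot: `lib.getNodeKeys "bridge01"` hard-codes the host name, which has to match the key file under `keys/machines/` (presumably `bridge01.keys`, following the README's `host02.keys` pattern) and the `bridge01` entries in `meta/network.nix` and `meta/nodes.nix`; the commit title says `bridge02`, so one of the two names is presumably a slip and should be confirmed before secrets are re-encrypted to this node's key. A one-line comment above the call, `# must match keys/machines/<name>.keys and the meta/ entries`, would make that coupling explicit for the next host added by following the README.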


@ -1,4 +1,10 @@
{
bridge01 = {
hostId = "f57f3ba0";
interfaces = { };
};
compute01 = {
interfaces = {
eno1 = {


@ -19,6 +19,22 @@
- luj01 -> VM de Luj
*/
{
bridge01 = {
site = "hyp01";
stateVersion = "24.05";
adminGroups = [ "fai" ];
deployment = {
targetHost = "fd26:baf9:d250:8000::ffff";
sshOptions = [
"-J"
"vault01.hyp01.infra.dgnum.eu"
];
};
};
web01 = {
site = "rat01";
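Review bot: The new `bridge01` entry declares no `nixpkgs`, although the README added in this commit lists `nixpkgs` among the main values to declare in `meta/nodes.nix`; either a default applies, in which case the README should mark the field as optional, or the entry is missing it. `targetHost` is the raw ULA that the host's network config assigns to `vlan-admin` rather than a name, so any renumbering of that VLAN has to be mirrored here by hand; a comment such as `# ULA of vlan-admin, see the host's _network.nix` would make the link visible. The `bridge01 = {` attribute set is complete within the hunk; the surrounding `web01` entry continues outside it.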

Binary file not shown.


@ -1,42 +1,44 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA K2855nHVjrWY+Do/Iz8whCnQYMYl6QCMlBClpTRf4TI
LTRqDw9oukc2JA8DKqJSMfXeOJZCITpV6Gkh0tC4RC8
-> ssh-ed25519 QlRB9Q xeLR2Pt8t5kC10g2aMIxTNbrNJN4j4mBlC6cidqy4BQ
HSrxWUWxRCmLVrXy9C9zYP8jc7rRMKvN4YgKp82rAgQ
-> ssh-ed25519 r+nK/Q Q2YybcpErKl8IfT3hoewrAOLJnC/rRgnZPa3RBampSE
enGIkp9ZAz/J/KdiKg0ZVCvsHKi2f8+THb6wpJ9MVm8
-> ssh-ed25519 jIXfPA FhSZKBAccqBqfeayNqY3fhYSi+0NMxsxS3WsdvuVu2M
xT37RUaShiHdPBUnjWntSY43LqXsR8Pgz5kUZ/mgz2w
-> ssh-ed25519 QlRB9Q xwok3cJ6SlGxlGi/UesKHVf+O4q9mn7btLweXJzeknI
LrigakDhwhHCHEaJ0eQx6TIke9vYLqXwwaUjusWOvSk
-> ssh-ed25519 r+nK/Q DS8/iUfczVGxB/Hl6EkweNAGSM0ZhWqrFy4xn82QNH8
0Z8KOLZtxh2c0JTeiPbz3ZDF3CYrDs7bmwKjjemTs0o
-> ssh-rsa krWCLQ
nQAoYm+rR20EFbXEE/F0Dks6kQP2JdA904j2e7FfQEd1i6pA6mPcbuy1IslgRd1R
UjJzHamUGO91bNSqQI/+6l2883JJVwazNxgY8pZaWC7BzGYlfDITTTQm9ITPd7Eg
7W4DAcrf1h5EU7GZfsGXgFtcnLPCBGRsPoAIbeS2hN6JcQP8c66Ubizt7eIOqFab
880k+cjjJXespuMODavBzFJCshQJwezYcH0S26vyVAF1UJk3H2Yuj1lI+ofT69ef
0k+bhG/dC0axlQaym3N7CvAZ8XibjydXCdJjk8u3z54p5Sv89MZMJHaNb5rvcbzY
CBQRMjHWLFfVhTKvBt1OwA
-> ssh-ed25519 /vwQcQ SXuM/Ssc11v/IGgZbSRiNvtAQvVcLa7PB3xm9mcOX0Q
xH+65+t3XbnXxPk8ha+i4PuIKvevJ0yHPZofFX/yw60
-> ssh-ed25519 0R97PA UQK8FggCF5e0ePV5TsctCzdzDh+xIleJkhRRNMn/8EE
+wpRiZFeUhUyV7nVKNu71X5jPmzMNDSVp1IWDw5aeOs
-> ssh-ed25519 JGx7Ng HE1LAFeYk2HmuYoYrHtO1zhTKjPhfyNF0h4JjRgGwzA
6VS4Oa70W6ZCKmbBWQ9vSHdy6W8RpFfX7mqQ53anfO8
-> ssh-ed25519 5SY7Kg dXmbbDbI859IYD0jf3PAVPFmMq0zV6Lwvte4jUBkSBs
UfV7hAYLtTSeyLskbwh9Jj9vjJpvwydsdsKmgtiK+hw
-> ssh-ed25519 p/Mg4Q /3jLavRHKgo5Oz+kKVwKHOmJVV7JbxxE3Y1DstD1OHI
tvhr/65+l7X9R8GmXNPB9Dwu0dtbQNcs+MUXgDRC+Xk
-> ssh-ed25519 tDqJRg xYM5dqCmh53artXhIfUvsmjwRzLxZQO+/tampI2RbSY
LSRsicMA7S8xdPYzh3lIEneazrGrRhjuQdN1I27YbV0
-> ssh-ed25519 9pVK7Q 7dQilI3mmyb6F+gMp+z1i9Os6Prff5CLLbPUFvawTHk
GtlUtsE2sB/jr7H52qTQcRRKgqJ/f2bDNetYPF4oBPw
-> ssh-ed25519 /BRpBQ 9dcoKWc+bTkmVkTxgwzJ6bhuUq39JWajYhD5vd+XAjU
ti+oXuQkM4QX7LFLjTyL52gsi8D1efU3sqC23jqTNrk
-> ssh-ed25519 +MNHsw VCfgC5V+1u3iaO0JqC6hnvngUJsg77wfsvoIiawcECc
9HCtIUt3vBccTkW6tub0GNU0gJ6Oxou5QgRly7kO370
-> ssh-ed25519 rHotTw 5e5Q+cjsNFq4KbqOA0KczyJEclHO5dyTJxsRvVZRvkc
uavyfil+elUz3AQjIJ/UTaCpod2f4V7JWbYso3j+ePs
-> ssh-ed25519 +mFdtQ 07KoGFU7pAivpypZZ7g3o/l+jhi7aDyVO7qg4qJo1CQ
Zthd7uchFTYNb7c9/+isX8BbnN0m6G1eFuohxJrX0KQ
-> ssh-ed25519 0IVRbA B1AUTNW9N30rr3MVFBfT/H9eivnjh6p6585/gxu+7SY
VZ0IqaGWSeqA7j3XP+B2HWXf2UYB5SpHImreAA7uqA8
-> ssh-ed25519 IY5FSQ c0v+PlVESbYTq87dAeYaZNnjY6eCUBIcvHM2ymwoX0g
0i6eaJVVtljUQZvdd7y2tcKX6cObCxTE4OO0MEqHriQ
--- gSYlbAC2ojK59TsNxtU9sAww3kpFfgOngL9+kdzx/to
#äĉÌ/áÉîÃÔL'€ÀM̨|H<>²ö(ðzpÝe0¶ê) ¥ËÈ<>öŽèJÌ<4A>&©•¤<E280A2>@
CDqVAHHD/1keQdgJZX5/hkiYMpZae1MocI5LjtWWg+QDkw1Bp6bNZLou8Uc2RG0H
xZIB+z1XSXf7iMla5l7RWbW+g61T38QKWoAwvAGFz+XOstBTDY4bWgSv1g6vm+6x
XuQLxCkj4cmy3dUsvaiiQXsstuMGOWSUbp2OQWfErzoVegHVCr/XKSAI1vMwQOWN
9tJUJCKEo2DTr5OmIL7kSWguVZYy77ta7JxmGbPrNQ7LJuRoZkUgX4V37SFgDKN4
QgpupxXP/3oDhDSzZYbS6Fw+b7U01BwPyziY1kOYztv2qSoBJFMVtZS3oJEu4ChU
7MRHaN15cGZRsC5zIQAg9w
-> ssh-ed25519 /vwQcQ ZPWBCoQ7imVFfTkUYrp4NGRnz3vskNtMgbV41F1s8BE
oTrgDNisd8Sqmxo0ZDpVSO5iURWNLrIlKABjys+gHhw
-> ssh-ed25519 0R97PA CgUUW9m8+M1rpsCPAPyRC8VKvilDKMA8VkDqqDfbpAs
qJ/pa3VLh6650lDN5YPyYtxsDYMiRyTtK1yu+JeF3ww
-> ssh-ed25519 JGx7Ng r8OMU9Grvd8yxzzUzeEH4iCPp8NBHVcQKQe13AJOKjE
eYC+/VMsoetiVFTGdlAL3xDDe6WziBYU4Fr6XN/HlJI
-> ssh-ed25519 5SY7Kg 4T4xlrNW8yqI23A3GH7dRDyhbUA62ldS2/R7YCsHz0U
ukewT84UtQcAQNNSNogi3WOjoNeA7p50D1JHJ+39lYs
-> ssh-ed25519 p/Mg4Q EBlu4oYIa4hX5mGExy2xwyHbnDli9xY7MebUOr+hTzw
TqmNgHL1xxyI+i4h3KgskVsWrlYUnuT5MJWcYj2crps
-> ssh-ed25519 DqHxWQ KiCWC6eJOUScSlPNpC2G2FbfD/fQ2b14KHhuw+QKNTI
Un89T6OXiXWTBZqwdXPvyckxcBIhp2wmC4A5723b/5g
-> ssh-ed25519 tDqJRg k5YZwwURv21NC/0tt2r3CBuUPDhfO/Y7c3ISVhMGQkA
sdm+SpychoEekD6JK6Wz2CCcfDpwPD6rlLyB3RJES08
-> ssh-ed25519 9pVK7Q 2kUnZCmNsAu90KA+st/ZFnez8rg4zqIZ3AZQsqHW0y8
YlCXQ5g8vnNboPVHdSKyrdwRNvjwp9VHP+RV2WP7z00
-> ssh-ed25519 /BRpBQ w+kqiukijvXdlvKdTfVvNYv6pLTifaZeagzU1VWQLwE
RKNPvu971viqMHBXpgE9D8L9ievWxIS5ANU8QADqwRY
-> ssh-ed25519 +MNHsw m+K/VIApzxBfYxc4/dPod+9TwBBTrtGa/B28QhawAD8
gwJLtE5zIiNtKZ/YdroneSLLuZzvoAXaJYsqPzPkyLc
-> ssh-ed25519 rHotTw NSgFCgFQxKc7DSrNq/77PAnAKxSG055gutF2aUUDLzA
uL3QhQHmtQrrUPllFtVf7QiLIMWkT0EYIokxUVkLMrc
-> ssh-ed25519 +mFdtQ otE9brZku3sOSb9IvvTW/eioWDFvMJlsxSUvOcPNwiU
7vV6u7zLv2EfSz3qmY9Sboj2Z5LBwSTxrl4FWm3mYAs
-> ssh-ed25519 0IVRbA kwQNIVhpFtgIlJAAoqk1fqUP9OHN9YGWcYXbT+/bHE0
gDOPJMeDI2eDx+emxUNSb/MW7IRPj8ni3mOLgZV9F0Y
-> ssh-ed25519 IY5FSQ gtGe4X/Vx4oWn0IIUwv6qpWZ250slvT/QMdwVQQrsAQ
yeJ8+BibBiwq2944ruZdek/4tpAqyMnG0RsyzkXQpRg
--- QhDkZSHLpgsvAUk5YhkhD8MNNX6Vlj7CWeQfJ6oEmk0
|`ŸP!ùá+ôÃg&ói¤;¶šªâlÔNn„Äõ¬¸ç¤ °ü4´kWó§#èƒ<C3A8><C692>±€w